Symantec
A group of cyberattackers has created a new strain of malware dedicated to transforming vulnerable IoT devices into slave components for DDoS attacks.
The new malware, dubbed linux/IRCTelnet, was discovered by researchers who posted an analysis of the malicious code on Malware must die.
According to the team, Linux/IRCTelnet is similar to malware strains used to hijack vulnerable Internet of Things (IoT) devices -- such as routers, smart lighting systems, VCRs, and surveillance cameras -- but has been coded partially with the Tsunami/Kaiten protocol and Bashlite.
As the malware has been written to tackle IoT devices which often have either default or hard-coded credentials which allow for easy access, there are no persistence features. In addition, the malicious code includes additional messaging and code for a variety of attack vectors.
"The malware (the bot client) is designed to aim IoT device via telnet protocol, by using its originally coded telnet scanner function, which is brute-forcing the known vulnerable credential of the Linux IoT boxes, via command sent from a CNC malicious IRC server," the advisory reads.
The researcher says that script hard-coded into the malware in Italian suggests the author may be from Italy.
Linux/IRCTelnet is able to attack through both the IPv4 and IPv6 protocols and is based on the source code of the Aidra botnet. In the past, Aidra has been known to infect internet-connected devices, included embedded systems , to carry out DDoS attacks.
Since the source code of theMirai botnet went open-source following a620 Gbps attack on the prominent security blog Krebs on Security, it is unsurprising that more cyberattackers are looking at vulnerable IoT devices and botnets to carry out attacks. The code is there, the IoT devices with lax security are available, and all it takes is the right kind of malware to connect the dots.